Preventing unsafe operation by monitoring switching means

ABSTRACT

An electronic control that monitors the switching means used to operate transducers to detect conditions that can cause improper transducer operation. In the application the unenergized state of the transducer is always safe. Should a switch in the transducer circuitry be in an erroneous state, the control uses another switch to prevent improper operation of the transducer without requiring the involvement of the operator. Monitoring enables the control to prevent transducer operation before failures allow hazardous operation. Any switching means, activated by the control, an override, or both may be monitored as long as its intended state is known to the control. The control can also open the transducer circuitry when an externally controlled switch in the transducer circuitry changes state at a destructive rate.

CROSS-REFERENCE TO RELATED APPLICATIONS

[0001] Not Applicable

STATEMENT REGARDING FEDERALLY SPONSORED RESEARCH

[0002] Not Applicable

REFERENCE TO SEQUENCE LISTINGS

[0003] Not Applicable

BACKGROUND OF THE INVENTION

[0004] The present invention relates to controls that operate transducers. In particular to controls that operate transducers that if erroneously active may result in hazardous operation but are always safe when inactive. In this application, a transducer is a device whose function is to turn the electrical energy into some other energy form. As the operation of the transducers may also be suspended by external switches or circuits the present invention is related to devices that include override(s).

[0005] Controls operate transducers using switching means hereinafter referred to as a switch, that may be a switch, relay, transistor, other solid state switch, or the like. Controls use either open or closed loop systems. In an open loop system any failure of switch goes undetected. True closed loop systems monitor the output of transducers, indirectly this may react to a switch in an erroneous state after the fault affects output but it is an expensive and less reliable means to detect switch failures. Further unless the feedback results in opening every switch in a transducer circuit, a switching failure(s) can still produce erroneous operation while the circuit still has a functional switch since the faulty switch(s) could be the one the feedback uses to alter operation.

[0006] U.S. Pat. No. 5,760,493 addresses the problem of improper transducer operation in appliances. The method does not detect faults. The intention of

[0007] U.S. Pat. No. 5,760,493 is to limit improper transducer operation should one of its switches fail. In this approach two switches must be closed to permit transducer operation. If one switch shorts the transducer is erroneously active when the functional switch is closed to operate another transducer. This method only prevents improper operation during part of a cycle. Since faults are not detected, operation continues allowing the possibility of additional faults developing, further compromising safe operation.

[0008] U.S. Pat. No. 5,760,493 points out that switching faults are not uncommon when driving large inductive loads. The appliance industry has relied on a plurality of switches to ensure that operation of transducers is stopped at least at the end of a cycle. This plurality of switches includes overrides which directly switch the transducers. However the plurality of switches adds to the cost and reduces overall system reliability.

[0009] U.S. Pat. No. 4,866,955 uses switching means to prevent an appliance from operating if its door or lid switch or has not been opened since the end of the last cycle. The intended state of the switch is not known, it is assumed that the switch must open between cycles. The control is therefore incapable of stopping the appliance should the switch fail to open as intended during a cycle.

[0010] The prior art shown in U.S. Pat. Nos. 3,367,089, 4,307,392, 4,951,037, shows methods of detecting switching faults that affect transducers. The transducers are display elements. U.S. Pat. Nos. 4,307,392 and 4,951,037 determine the functionality of the transducer and any fault causing any switch to be in an erroneous state. U.S. Pat. No. 3,367,089 only detects faults affecting the switches. These approaches apply only to switching means operated solely by the control.

[0011] The application of transducers in these patents can produce unsafe conditions when erroneously unenergized. For this reason the methods in these patents seek to detect erroneously unenergized transducers in addition to detecting erroneously energized transducers. Additionally U.S. Pat. Nos. 4,307,392 and 4,951,037 seek to verify the functionality of the transducer. These are burdens the present invention does not share. In the applications of the present invention a fault in the switching means or its transducer causing it to be inactive does not pose a safety hazard.

[0012] In the display verification patents no method is presented to automatically stop hazardous transducer operation. The approach is to signal the operator that a fault has been found to prevent a fault from causing a hazard. If the operator does not receive the fault indicating signal, operation remains potentially unsafe. While the control of the present invention may signal the operator that a fault has been detected, if the operator fails to observe this signal operation is still safe because the control halts transducer operation.

DESCRIPTION OF DRAWINGS

[0013]FIG. 1 is a schematic of the control interfacing to the ac source and motor.

[0014]FIG. 2 is a schematic of the circuits used to drive the dc valves.

[0015]FIG. 3 shows the signals produced on the control inputs connected to ac nodes.

SUMMARY OF INVENTION

[0016] The present invention is a control with means to verify the switches in the energizing circuitry of transducer(s) are in the intended state. If a fault is detected, the control automatically uses another switch to open the affected circuit to prohibit the transducer from being erroneously energized. Improper transducer activation is prevented not just limited. While the control may attempt to signal the operator of a fault, hazardous operation is suspended without requiring operator knowledge of the fault. The present invention can detect faults in any switch, including externally operated switching, as long as the intended state of the switch is known to the control.

[0017] While commonly either on or off, variable switching is included as long as the control can determine when a transducer is unenergized (switch open). The signal to have a switch open a transducer circuit may originate at: 1) the control. 2) an override. 3) either the control or an override. When the scan of a switch indicates it is in the wrong state, another switch is employed to stop and/or prevent current to the transducer.

[0018] Failures in the switch itself, in the interfacing of the control or an override to that switch, or an incorrectly open or shorted path in the energizing circuitry can cause the switch to be non-functional. Scanning the energizing circuitry allows the control to detect non-functional switches regardless of the cause.

[0019] As long as one control operated switch in a circuit is functional the control is able to prevent operation of the transducer(s) in a faulty circuit. The scanning methods included and introduced in an application filed concurrently by the same inventor are very inexpensive. In many cases one resistor connecting a single digital input to a node common to similar transducers allows the control to verify the state of the switches for a plurality of transducers.

[0020] The preferred implementation of an override is to share with the control a monitored transducer switch(s) that either can open regardless of the functionality of the other. The ability of an override to stop operation independently of the control is maintained and the control can signal the switch to open at anytime to verify its functionality. Fewer load switches lower cost and increase reliability. Further the control can monitor the override input to the transducer switch, should the primary load switch fail to open as the override dictates, the control opens the transducer circuit with a backup switch(s).

[0021] Generally the only non-functional switches the control must detect are erroneously closed. An exception is when the switch(s) of a transducer circuit determines the polarity of the voltage across a transducer. If the state of any switch permits an incorrect voltage to be present at the transducer the control opens a switch(s) ensuring the transducer can not be energized.

[0022] The control can also open a transducer circuit when the frequency at which an externally operated switch changes state rather than the state itself can lead to hazardous operation. The control extends the period the transducer circuit is open reducing the switching rate. This prevents damage to the switch and/or the transducer.

DESCRIPTION OF PREFERRED EMBODIMENT

[0023] Although the following embodiment is a commercial washing machine employing relays to switch a 120 vac motor and transistors to switch 24 v valves it is to be understood that the inventor contemplates the invention being applied to other devices with the same or different transducers and switching means operating off various voltages.

[0024] In the preferred embodiment the control scans the circuitry used to energize the +24 v solenoid valves P1-5 and the 120 vac motor 60 of a commercial washing machine the control operates. If a fault in the circuitry is found that could cause a valve or the motor to be erroneously energized, the control uses another switch to open or keep open the faulty circuitry until it is repaired. Then the control signals the operator that the washer requires service.

[0025] The motor drive circuitry is shown in FIG. 1 and the valve drive circuitry is shown in FIG. 2. In addition to the valves and motor, the washer includes a power supply 10 that produces +24 v, +5 v relative to ground that is in common with ac source ground. The switches of the energizing circuitry in this embodiment include the output transistors of U2, transistor T2, relays K1-K4, centrifugal switch S3 and thermal limit switch S4.

[0026] Switches S1-S4 are overrides. Switches S3-S4 directly switch the motor. Pressure switch S1 shares operation of T2 with the control enabling either to open the valves P1-P5. The pressure switch S1 is closed until the fill level is reached. The lid switch S2 shares operation of K1 with the control enabling either to stop the motor. S2 is closed when the lid of the washer is closed. The motor start switch S3 ensures the HIGH and START windings are energized to start the motor, it opens shortly after the motor starts. The thermal switch S4 is closed unless the motor overheats.

[0027] The motor is switched using relays K1-K4. FIG. 1 shows the interfacing of the control to the ac source and the motor. The thermal limit switch S4 and both K1 and K2 must close to turn on the motor. K1 is the switching relay responsible for starting and stopping the motor. K2 is the safety relay and serves as the backup switch for K1. Both K1 and K2 are protected by varistor V2 to limit arcing when either is opened.

[0028] The speed of the motor is determined by K3. When K3 is energized the motor will run in HIGH. When K3 is unenergized the motor will start in HIGH and run in LOW once the centrifugal switch S3 opens shortly after the motor starts. The direction the motor turns is determined by the polarity of the connections made by K4 though C1 and S3 to the START winding. When K4 is energized the washer will agitate. When K4 is off the washer will spin. When the motor reaches speed, the centrifugal switch S3 opens the START winding circuit and switches the motor speed to LOW if K3 is unenergized.

[0029] The control uses the npn transistor driver IC U2 to turn on K2, K3 and K4. The coil of each of these relays has a direct connection to +24 v. Q1 connects K2 to ground when RC7 takes D1 high. Q2 connects K3 to ground when RC6 takes D2 high. Q3 connects K4 to ground when RC5 takes D3 high. The control only partially controls the operation of K1. The connection of K1 to +24 v is made through T7. U1 turns on T7 by turning on T5 through R5. When on, T5 takes the common node of R7, R6 and T7 low enough to turn on T7. The connection of K1 to ground is made directly by the lid switch S2 and/or by Q3 through D13. The diode D14 protects S2, diode D9 protects T7 and the internal diodes of U2 protect its output transistors when the coils of the relays are turned off.

[0030] To start the washer in agitate Q3 connects K4 to ground. In agitate Q3 also connects the coil of K1 to ground through D13. In agitate opening the lid switch S2 has no effect on the operation of the washer. To start the washer in spin Q3 disconnects K4 from ground and leaving S2 as the sole connection of K1 to ground. In spin if S2 opens K1 will open stopping the motor regardless of the state and functionality of U1 and T7.

[0031] The control verifies the state of the ac switches K1, K2 and K4. The sensing means for the relays also determines the state of the thermal switch S4. If the thermal switch S4 is open the control suspends operation until the motor cools sufficiently to close S4. If K1 or K2 is erroneously closed when the motor is off, the control will not close the other until repairs have been made. If K1 fails to open as intended by the control or the lid switch S2, the control opens K2 stopping the motor until repairs are made. The state of K4 is verified to ensure that the motor is started in the proper direction. If the connections to the START winding are not at the proper voltages during start up the control opens K1 to stop the motor.

[0032] The signals on RA0-RA2 produced by the connections through R2, R8 and R9 respectively are used to determine the state of the ac switches. The ac nodes driving these inputs are in one of three states—L1, Neutral or floating. A node at L1 produces the truncated 60 hz sine wave in FIG. 3A. A floating node is taken high by the pull-up resistor (R1, R11 or R12) on its input producing the signal in FIG. 3B. A Neutral node produces a low input signal in FIG. 3C. The resistance of each connection is sufficient to allow the input protection diodes of inputs RA0-RA2 and RTCC to limit the signals to +5.6 v and −0.6 v, a safe range for U1. The input RTTC is connected to L1 through R10 producing the signal in FIG. 3A.

[0033] Before the functionality of switches at least partially operated by the control can be verified, the control verifies that the override switch S4 is closed. When S4 is closed either RA1 or RA2 (or both RA1 and RA2 when either K1 or K2 is open) will have the signal produced by a Neutral node—FIG. 3C. When S4 is open neither RA1 or RA2 has the signal in FIG. 3C since there is no connection to Neutral. To verify that S4 is closed RA1 and RA2 are read when RTCC goes high. If at least one is low, S4 is closed since only a Neutral node is low when RTCC is high.

[0034] With S4 closed, the control scans the state of K1, K2 and K4. To verify the states of K1 and K2 the control reads the signal on RA0 through R2. Before a cycle is started the ac node sensed by RA0 is floating if K1 and K2 are open as expected. R1 pulls RA0 high when the ac node is floating (FIG. 3B). If K2 alone has shorted the ac node connected to RA0 is at Neutral producing the signal in 3C. If K1 is closed the ac node is at L1 producing the 60 hz signal in FIG. 3A. The control reads RA0 when RTCC goes low, if RA0 is high both K1 and K2 are open. If it is low there is a fault and the control will not close K1 or K2 to start a cycle until repairs are made.

[0035] The control also checks the state of the switching relay K1 each time the motor is stopped. K1 is opened by the control to stop the motor as required during a cycle or by the opening of the lid switch S2 when the motor is rotating in the spin direction. The control reads the state of S2 on RB1 through R3. In spin R4 pulls RB1 high if S2 is open. The state of K1 is verified each time either the control or S2 attempts to open it. If K1 has opened the signal on RA1 is pulled low through K2 by the connection of the motor to Neutral. If RA0 is not low when RTCC goes high the control opens K2 stopping the motor until repairs can be made.

[0036] The control also monitors the connections of K4 to the START winding to verify the motor will rotate in the correct direction. In the operation of this washer it is critical that the motor stops if S2 is opened during spin. If a fault causes the START winding to have the incorrect voltage when the motor is started the washer could be in spin when the control intends for it to be in agitate. In this state the motor would not stop when S2 is opened during this erroneous spin since S2 has no effect on the motor in agitate.

[0037] To start the motor in agitate, K4 is energized. When functioning correctly the ac node sensed by RA1 is at L1 and the ac node sensed by RA2 is at Neutral producing the signals in FIGS. 3A and 3C respectively. When RTCC goes high RA1 should be high and RA2 should be low. When RTCC goes low both RA1 and RA2 should be low. If either of these conditions are not met the control stops the operation of the motor by opening K1 using K2 as backup until repairs are made.

[0038] The method shown to scan the ac circuitry depends on the sharing of ground between the source and the supply. In consumer appliances the common ground approach is generally not employed. An application filed concurrently by the same inventor provides a cost effective method of sensing ac path states, including paths containing switches, when the control is floating relative to the ac source.

[0039] In addition to monitoring the state of K1 and K2 the control monitors the frequency at which the K1 is switched in spin by S2. Should the rate of switching become destructive, the time K1 is open is prolonged by taking RB0 low turning off T7. This breaks the connection of K1 to +24 v preventing the motor from restarting when S2 is closed. After pausing to allow the contacts of K1 to cool RB0 goes high turning on T7 allowing normal operation to resume. The rate is monitored by reading RA0 whenever RTCC is high. If K1 is open RA0 is low if K1 is closed RA0 is high. The frequency at which K1 is switched by S2 can also be indirectly monitored by reading the input RB1.

[0040] The valves are switched using transistors as shown in FIG. 2. Transistor T2 completes the valve connections to +24 v. The npn transistors of U2 outputs Q8-Q4 complete the valve connections to ground. D10 protects T2 when it switches the valves. U2 has internal protection diodes on its outputs to protect it.

[0041] To energize a valve, both T2 and the corresponding output line of U2 (Q8-Q4) must be switched on. If the control detects a short of T2 to +24 v or a short of any valve line Q8-Q4 to ground the control will use the functional transistor(s) to open or keep open valve circuitry until repairs can be made.

[0042] Q8 switches the hot valve P1, Q7 switches the detergent valve P2, Q6 switches the fabric softener valve P3, Q5 switches the cold valve P4, and Q4 switches the bleach valve P5. Outputs Q8-Q4 are turned on when U1 take inputs D8-D4 high using RC0-RC4.

[0043] R15 turns off T2 if S1 is open or T3 is off. T2 is on when the path from its base to ground through S1, R17 and T3 is complete. U1 turns on T3 through R18 by taking RB4 high. When S1 opens, a functional T2 opens regardless of the functionality of the rest of the control.

[0044] The state of the valve switches, T2 and Q8-Q4, are scanned using input RB2 through R34. The resistance of R34 is sufficient to permit the input protection diodes of U1 to limit the input voltage on RB2 to +5.6 v. The scan detects any fault causing T2 or Q8-Q4 to be erroneously on. If a short is detected when the valves are inactive the control will not start a fill keeping the functional transistor(s) off. The switches are also scanned at the end of a fill. T2 is always used to turn off the valves for all dispensing. If T2 fails to open the circuitry, U2 is cleared turning off Q4-Q8 deenergizing the valve(s).

[0045] Before a fill starts both T2 and the individual valve lines Q4-Q8 are off. R14 pulls input RB2 high unless a U2 output drive(s) Q4-Q8 has shorted to ground pulling RB2 low indicating the failure. If no valve line has shorted to ground, the control turns on the valve line(s) to be used, pulling RB2 low unless T2 has shorted. If T2 has shorted to +24 v, RB2 would remain high.

[0046] When a fault is detected the control will not start a fill cycle. For the transistors energizing the valves or their selection means to cause flooding, both T2 and a U2 output would have to short to their respective supply voltage between scans since the control will open the valves using the other transistor at the first failure.

[0047] The functionality of the valve switches is also checked when the fill is complete. A fill is complete when the pressure switch S1 opens or when U1 takes RB4 low turning off T3 to end a timed dispense. For a measured fill the control reads the state of S1 on RB3 through R16. The resistance of R16 is sufficient to permit the input protection diodes to limit the input voltage on RB3 to +5.6 v. R16 also prevents a fault shorting RB3 to ground from turning on T2. When S1 opens during a fill RB3 goes low. In either type of fill, the valve(s) are switched off when the base to ground connection of T2 is broken by opening either S1 or T3. When T2 opens RB2 should be low. If not the control clears U2 turning off Q4-Q8.

[0048] While the pressure switch S1 could also be monitored for destructive switching as is done with S2, T2 is much less likely to fail due to switching rate and given the hysteresis of the pressure switch S1 it is unlikely to be switched at an excessive rate.

[0049] While the embodiment present employs only one backup switch per transducer it is within the scope of this invention to include more. Further operation of the device can continue indefinitely or to a preferred time such as the end of a cycle after a fault is found by using a backup switch to perform the function of the failed one. With multiple backups operation can continue until only one functional switch remains.

[0050] Alternatively upon detection of a fault the control can trigger a fuse or circuit breaker to open, permanently stopping transducer operation until repairs are made. 

It is claimed:
 1. An electronic control including sensing means to scan the energizing circuitry of one or more transducers, the expected unenergized state of said transducers being safe in the application, said circuitry including switches whose intended states are otherwise known to said control, said sensing means enabling said control to identify said switches as functional or non-functional, said control preventing any of said switches identified as non-functional from causing improper transducer operation by opening one or more of said switches identified as functional.
 2. The control in accordance with claim 1 wherein said sensing means also determines the state of at least one externally operated switch in said circuitry whose intended state is otherwise unknown to said control.
 3. The control in accordance with claim 1 wherein at least one sensor of said sensing means scans said switches in a plurality of circuits of said circuitry.
 4. The control in accordance with claim 1 wherein said control signals the operator it has identified one or more of said switches as non-functional.
 5. An electronic control including sensing means to scan the energizing circuitry of one or more transducers, the expected unenergized state of said transducers being safe in the application, said circuitry including switches whose intended states are otherwise known to said control, said sensing means enabling said control to identify said switches as functional or erroneously closed, said control using at least one of said switches identified as functional as backup to prevent any of said switches identified as erroneously closed from causing improper transducer operation.
 6. The control in accordance with claim 5 wherein at least one of said switches can be independently opened by either said control or an override.
 7. The control in accordance with claim 6 wherein said control signals the operator it has identified one or more of said switches as erroneously closed.
 8. The control in accordance with claim 5 wherein said control continues operation using said backup to ensure correct transducer operation.
 9. The control in accordance with claim 8 wherein said control signals the operator it has identified one or more of said switches as erroneously closed
 10. The control in accordance with claim 5 wherein at least one sensor of said sensing means scans said switches in a plurality of circuits of said circuitry.
 11. The control in accordance with claim 5 wherein said sensing means also determines the state of at least one externally operated switch in said circuitry whose intended state is otherwise unknown to said control.
 12. An electronic control monitoring the frequency at which one or more transducers are switched, the expected unenergized state of said transducers being safe in the application, said control prolonging the period said transducers are off by opening a switch in the energizing circuitry of said transducers if said frequency becomes destructive.
 13. The control in accordance with claim 12 wherein said control monitors said frequency using sensing means that scan the energizing circuitry of said transducers.
 14. The control in accordance with claim 13 wherein said circuitry includes switches whose intended states are otherwise known to said control, said sensing means enabling said control to identify said switches as functional or non-functional, said control preventing any of said switches identified as non-functional from causing improper transducer operation by opening one or more of said switches identified as functional.
 15. The control in accordance with claim 14 wherein said sensing means also determines the state of at least one externally operated switch in said circuitry whose intended state is otherwise unknown to said control.
 16. The control in accordance with claim 14 wherein at least one sensor of said sensing means scans said switches in a plurality of circuits of said circuitry.
 17. The control in accordance with claim 14 wherein said circuitry includes switches whose intended states are otherwise known to said control, said sensing means enabling said control to identify said switches as functional or erroneously closed, said control using at least one of said switches identified as functional as backup to prevent any of said switches identified as erroneously closed from is causing improper transducer operation.
 18. The control in accordance with claim 17 wherein at least one of said switches can be independently opened by either said control or an override.
 19. The control in accordance with claim 17 wherein at least one sensor of said sensing means scans said switches in a plurality of circuits of said circuitry.
 20. The control in accordance with claim 17 wherein said sensing means also determines the state of at least one externally operated switch in said circuitry whose intended state is otherwise unknown to said control. 